b"     ASSESSMENT REPORT\n           12-22\n\n\n\n\nWebtrust for Certification Authority\n      September 18, 2012\n\x0cDate\nSeptember 18, 2012\nTo\nChief Information Officer\nFrom\nInspector General\nSubject\nAssessment Report - Webtrust for Certification Authority\nReport Number 12-22\n\nEnclosed please find the subject final report. The Office of the Inspector General\nadministered a contract with Ernst & Young LLP (E&Y) to provide an opinion on the\nGovernment Printing Office\xe2\x80\x99s (GPO) assertions regarding their certification\nauthority process for July 1, 2011 through June 30, 2012. E&Y conducted their work\nin accordance with attestation standards established by the American Institute of\nCertified Public Accountants.\n\nE&Y concluded that GPO\xe2\x80\x99s assertion is fairly stated in all material respects. E&Y is\nresponsible for the attached report and the opinion expressed therein.\n\nWe appreciate the courtesies extended to E&Y and to our audit staff. If you have any\nquestions or comments about this report, please do not hesitate to contact me at\n(202) 512-0039.\n\n\n\n\nMichael A. Raponi\nInspector General\n\nEnclosure\n\ncc:\nActing Public Printer\nAssistant Public Printer, Operations\nGeneral Counsel\n\x0cUS Government\nPrinting Office\nReport of Independent Accountants\n\nWebtrust for CA\n\nFor the Period July 1, 2011 to June 30, 2012\n\x0c                                              Table of Contents\n\n\nReport of Independent Accountants ............................................................................. 1\n\nManagement Assertion ................................................................................................ 3\n\n\n\n\n1208-1385105\n\x0c                                                                     Ernst & Young LLP\n                                                                     Westpark Corporate Center\n                                                                     8484 Westpark Drive\n                                                                     McLean, VA 22102\n                                                                     Tel: + 1 703 747 1000\n                                                                     Fax: +1 703 747 0100\n                                                                     www.ey.com\n\n\n\n\n                          Report of Independent Accountants\n\nTo the Inspector General of the United States Government Printing Office and the\nManagement of the United States Government Printing Office Certification Authority:\n\nWe have examined the assertion by the management of the U.S. Government Printing Office\n(GPO) that in providing its Certification Authority (CA) services known as GPO Public Key\nInfrastructure Certification Authority (GPO-CA) in Washington, D.C. for the Root CA: GPO-CA\nduring the period July 1, 2011 through June 30, 2012, management of GPO has:\n\n   \xe2\x80\xa2   disclosed its Business, Key Life Cycle Management, Certificate Life Cycle Management,\n       and CA Environmental Control practices in its\n       \xe2\x80\xa2   Certification Practice Statements and\n       \xe2\x80\xa2   Certificate Policy\n   \xe2\x80\xa2   maintained effective controls to provide reasonable assurance that\n       \xe2\x80\xa2   GPO\xe2\x80\x99s Certification Practice Statements are consistent with its Certificate\n           Policy\n       \xe2\x80\xa2   GPO provides its services in accordance with its Certificate Policy and\n           Certification Practice Statements\n   \xe2\x80\xa2   maintained effective controls to provide reasonable assurance that\n       \xe2\x80\xa2   the integrity of keys and certificates it manages is established and\n           protected throughout their life cycles;\n       \xe2\x80\xa2   the integrity of subscriber keys and certificates it manages is established\n           and protected throughout their life cycles;\n       \xe2\x80\xa2   the Subscriber information is properly authenticated; and\n       \xe2\x80\xa2   subordinate CA certificate requests are accurate, authenticated and\n           approved\n   \xe2\x80\xa2   maintained effective controls to provide reasonable assurance that\n       \xe2\x80\xa2   logical and physical access to CA systems and data is restricted to\n           authorized individuals;\n       \xe2\x80\xa2   the continuity of key and certificate management operations is maintained;\n           and\n       \xe2\x80\xa2   CA systems development, maintenance and operations are properly\n           authorized and performed to maintain CA systems integrity\n\nfor the CA services known as GPO-CA, based on the AICPA/CICA Trust Services Criteria for\nCertification Authorities.\n\n\n                                                                                                                     1\n                                                                     A member firm of Ernst & Young Global Limited\n\x0cGPO\xe2\x80\x99s management is responsible for its assertion. Our responsibility is to express an opinion\non management\xe2\x80\x99s assertion based on our examination.\n\nOur examination was conducted in accordance with attestation standards established by the\nAmerican Institute of Certified Public Accountants, and accordingly, included (1) obtaining an\nunderstanding of GPO\xe2\x80\x99s key and certificate life cycle management business practices and its\ncontrols over key and certificate integrity, over the authenticity and privacy of subscriber and\nrelying party information, over the continuity of key and certificate life cycle management\noperations, and over the development, maintenance, and operation of systems integrity;\n(2) selectively testing transactions executed in accordance with disclosed key and certificate\nlife cycle management business practices; (3) testing and evaluating the operating\neffectiveness of the controls; and (4) performing such other procedures as we considered\nnecessary in the circumstances. We believe that our examination provides a reasonable basis\nfor our opinion.\n\nThe relative effectiveness and significance of specific controls at GPO and their effect on\nassessments of control risk for subscribers and relying parties are dependent on their\ninteraction with the controls, and other factors present at individual subscriber and relying\nparty locations. We have performed no procedures to evaluate the effectiveness of controls\nat individual subscriber and relying party locations.\n\nBecause of the nature and inherent limitations of controls, GPO\xe2\x80\x99s ability to meet the\naforementioned criteria may be affected. For example, controls may not prevent, or detect\nand correct, error, fraud, unauthorized access to systems and information, or failure to\ncomply with internal and external policies or requirements. Also, the projection of any\nconclusions based on our findings to future periods is subject to the risk that changes may\nalter the validity of such conclusions.\n\nIn our opinion, for the period July 1, 2011 through June 30, 2012, GPO management\xe2\x80\x99s\nassertion, as set forth in the first paragraph, is fairly stated, in all material respects, based on\nthe AICPA/CICA Trust Services Criteria for Certification Authorities.\n\nThe WebTrust seal of assurance for Certification Authorities on GPO\xe2\x80\x99s Web site constitutes a\nsymbolic representation of the contents of this report and it is not intended, nor should it be\nconstrued, to update this report or provide any additional assurance.\n\nThis report does not include any representation as to the quality of GPO's services beyond\nthose covered by the Trust Services Criteria for Certification Authorities, or the suitability of\nany of GPO\xe2\x80\x99s services for any customer's intended purpose.\n\n\n\n\n\xef\x81\xa5\xef\x81\xb9\nAugust 20, 2012\n\n\n\n\n                                                                                                                        2\n                                                                        A member firm of Ernst & Young Global Limited\n\x0c3\n\x0c4\n\x0c5\n\x0c"